CIBER has not shown the resorces to provide a reliable product. The current quality managment plan requires more time to spend on managing the process than they appear to have available and it was clear during the assessment visit that they had not accepted that they have a responsibility to provide quality reviewed reports that show what was done in testing. The ITA Practice Director indicated during the assessment that their difficulties were that corporate CIBER did not allow for the personnel resource time for quality management functions but there may be other alternatives for allocating the resources.

In addition, during the review, ITA Practice Director indicated that the testing for a product tends to either use vendor developed tests or new tests developed specifically for the product — they have no standard test methods defined. This makes their testing dependent on the vendor input and vulnerable to unique vendor interpretations rather than a core validated set of internal references for training and testing.

Friday, January 26, 2007

This story by Clare Dyer in the UK's Guardian Unlimited quotes Britain's Director of Public Prosecutions, Sir Ken Macdonald.

The director of public prosecutions, Sir Ken Macdonald, put himself at odds with the home secretary and Downing Street last night by denying that Britain is caught up in a "war on terror" and calling for a "culture of legislative restraint" in passing laws to deal with terrorism.

Sir Ken warned of the pernicious risk that a "fear-driven and inappropriate" response to the threat could lead Britain to abandon respect for fair trials and the due process of law...

"It is critical that we understand that this new form of terrorism carries another more subtle, perhaps equally pernicious, risk. Because it might encourage a fear-driven and inappropriate response. By that I mean it can tempt us to abandon our values. I think it important to understand that this is one of its primary purposes." ...

"The fight against terrorism on the streets of Britain is not a war. It is the prevention of crime, the enforcement of our laws and the winning of justice for those damaged by their infringement."

Thursday, January 25, 2007

A Reuters story by Alison Doyle previews an about-to-be-released report on a study by a panel of 2,500 scientists who advise the United Nations on climate. It estimates that sea levels will keep rising for more than 1,000 years even if governments manage to slow a projected surge in temperatures this century blamed on greenhouse gases.

"Twenty-first century anthropogenic (human) carbon dioxide emissions will contribute to warming and sea level rise for more than a millennium, due to the timescales required for removal of this gas," the sources quoted the report as saying.

The "good news" is that the rise is likely to be only 11 to 17 inches in this century. Still, rising seas would threaten low-lying Pacific islands, coasts from Bangladesh to Florida and cities from Shanghai to Buenos Aires.

In New Delhi, IPCC chairman Rajendra Pachauri said he hoped the report would shock governments into action.

"I hope this report will shock people, governments into taking more serious action as you really can't get a more authentic and a more credible piece of scientific work," he told Reuters.

Starting on Christmas Eve, a ring of thieves -- mistaken by neighbors as a moving crew -- removed $2.5 million in art, antiques and rugs from a Jackson Street mansion in San Francisco's Presidio Heights, taking two truckloads of loot without being detected.

It took months of planning to execute but afterward just days to become a perfect mess -- when one of the burglars decided to try to sell back some of the loot to the victim.

Friday, January 19, 2007

Many warnings, several federal and state laws, and a number of court cases have focused on the dangers to children presented by the Internet, notably child pornography and enticement leading to sexual abuse.

While most people would agree that all abuse of children is unacceptable, they would probably agree that the bulk of protective efforts should be directed against the most common sources of abuse. Surprise! The Internet isn't one of them.

A thoughtful post by Pete Reilly presents and analyzes the data. The source of most of the abuse is parents (79%), other relatives (6%), and unmarried partners of parents (4%). Instead of the Child Online Protection Act (COPA) and its ilk, it's time for legislators to focus on the most common abusers, don't you think?

(01-19) 07:13 PST Lindenhurst, N.Y. (AP) --Three thieves who allegedly stole 14 global positioning system devices didn't get away with their crime for long. The devices led police right to their home.

Town officials said the thieves didn't even know what they had: they thought the GPS devices were cell phones, which they planned to sell.

According to Suffolk County police, the GPS devices were stolen Monday night from the Town of Babylon Public Works garage in Lindenhurst. The town immediately tapped its GPS system, and it showed that one of the devices was inside a house. Police said that when they arrived there, Kurt Husfeldt, 46, had the device in his hands.

Husfeldt was charged with criminal possession of stolen property. His 13-year-old son also was arrested on grand larceny charges.

Thursday, January 18, 2007

This post by Bruce Schneier argues that computer insecurity is largely due to the fact that its costs are not borne by those with the power to eliminate it--i.e., are an externality.

Information insecurity is costing us billions. There are many different ways in which we pay for information insecurity. We pay for it in theft, such as information theft, financial theft and theft of service. We pay for it in productivity loss, both when networks stop functioning and in the dozens of minor security inconveniences we all have to endure on a daily basis. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for the lack of security, year after year.

Fundamentally, the issue is insecure software. It is a result of bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the myriad effects of insecure software. Unfortunately, the money spent does not improve the security of that software. We are paying to mitigate the risk rather than fix the problem.

The only way to fix the problem is for vendors to improve their software. They need to design security in their products from the start and not as an add-on feature. Software vendors need also to institute good security practices and improve the overall quality of their products. But they will not do this until it is in their financial best interests to do so. And so far, it is not...

Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem. If this is done, companies will come up with the right technological solutions that vendors will happily implement. Fail to solve the economics problem, and vendors will not bother implementing or researching any security technologies, regardless of how effective they are.

Unfortunately, virtually all software now comes with what I call a Kodak warrantee: "Liability limited to replacement cost of unexposed film." Sometimes not even that.

Monday, January 08, 2007

A National Geographicarticle by Richard A. Lovett reports on "more than 200 human-caused temblors, mostly in the past 60 years," the majority from coal mining.

The most damaging earthquake in Australia's history was caused by humans, new research says.

The magnitude-5.6 quake that struck Newcastle, in New South Wales, on December 28, 1989, killed 13 people, injured 160, and caused 3.5 billion U.S. dollars worth of damage.

That quake was triggered by changes in tectonic forces caused by 200 years of underground coal mining, according to a study by Christian D. Klose of Columbia University's Lamont-Doherty Earth Observatory in Palisades, New York.

The quake wasn't enormous, but Australia isn't generally considered to be seismically active and the city's buildings weren't designed to withstand a temblor of that magnitude, Klose said.

All told, he added, the monetary damage done by the earthquake exceeded the total value of the coal extracted in the area... [emphasis mine]

Three of the biggest human-caused earthquakes of all time, he pointed out, were a trio that occurred in Uzbekistan's Gazli natural gas field between 1976 and 1984. Each of the three had a magnitude greater than 6.8, and the largest had a magnitude of 7.3...

But as far as he knows, mining engineers aren't examining this, because they are currently unaware of the earthquake risk.

The danger is also relevant to proposals to sequester carbon dioxide by injecting it into geologic formations deep underground where the gas cannot escape and contribute to global warming.

"That alters stress in the crust [too]," Klose said, adding that the risk of earthquakes should be taken into account in planning the locations of such facilities...

A carbon-sequestration plan could reduce the risk of some types of damage (such as from hurricanes, which some scientists say are being strengthened by global warming), while increasing the risk of others, like earthquakes.

A Computerworldarticle by Ben Rothke argues that we could make e-voting machines as trustworthy as Boeing 777s, if only we went about it in the right way.

The pro-e-voting camp focuses on the need to get away from feeble mechanical voting machines. The other side focuses on how insecure e-voting systems are and says they could threaten fair and accurate elections. The truth is that both camps are right....

Going digital for digital’s sake without ensuring that proper precautions have been taken is shortsighted and, when it comes to e-voting, a significant threat to democracy...

To ensure a robust and secure e-voting system, the U.S. government should establish an open standardization process and solicit input on requirements and other criteria from product manufacturers, standards organizations, citizens, information security and privacy experts, federal, state and local governments, and others.

Given that a single attacker can taint an entire election, the process of securing an e-voting system must be open for public analysis. The more eyes that analyze e-voting source code, the better we will be able to find and eliminate flaws. As it stands now, the e‑voting vendors guard their proprietary software and refuse to allow the public to analyze it. This cavalier, “trust me” attitude is intolerable.

Don’t think for a minute that opening up the software is an invitation for attack. Making source code available for analysis is a proven practice for finding flaws and weaknesses. Such peer review has historically been one of the best ways to determine the underlying security of a system. A perfect example of this is the Advanced Encryption Standard algorithm, which governments and financial institutions around the world use to secure data. AES was chosen to be a standard only after years of public examination and analysis.

“Secure e-voting” is not an oxymoron. Getting to that point simply takes a rigorous open-engineering approach. It is up to the voting public to demand it, the government to administer it and the vendors to deliver it.